The Daily Incite - May 8, 2006
Good Morning:
Happy Monday! Lots to do after an action-packed weekend of yard sales, birthday parties and big storms in ATL. I want to highlight a few items as we start off the week. The first is one company's blatant unwillingness to accept responsibility for its own errors. I'm talking about Blue Security, who maintains they didn't cause the DDoS attack on Six Apart. Give me a break! If anything, they are turning what could have been an opportunity to gain sympathy from the Internet community into one where they will continue to be vilified for doing something stupid and then not admitting it.
Another item is an interesting post by George Ou about Microsoft's User Account Protection (UAP) capability in Vista. It's a good thing, but it does require users to change their behavior, so there will be lots of consternation as folks get used to it. I also point to a Forrester overview on FFIEC that you can buy for $249. Is that the wave of the research future? Not subscriptions, but selling information by the drink, $250 at a time. Not sure, but I'm interested in your perspective. I tend to give most of my stuff away as I prepare more detailed reports that I think people will pay for. But if there is a market for research at $250 a pop, I'm cool with that.
Have a great day.
Top Security News
SMB will UTM
So what? - In Larry Seltzer's eWeek column, he makes the case for why every SMB should have a unified threat management (UTM) device. I couldn't agree more. Though everyone has a slightly different definition of UTM, it doesn't matter. Smaller companies need simplicity and they need integration, and that is what UTM brings to the table. Of course, SMB customers are very price sensitive and many will just stick with their desktop-only security posture. But for those that don't want to be cleaning up their network every month or so when an employee does something stupid, desktop security is not enough. To be clear, I also think that UTM is very applicable to larger companies, but there it requires much more sophisticated hardware. Simplicity is in and complexity is out, so UTM is definitely something that everyone should be looking at as the perimeter continues to evolve.
http://www.eweek.com/article2/0,1759,1957379,00.asp
Blue Security - It is your fault!
So what? - I know I ranted a bit about Blue Security and their idiocy in directing a DDoS attack at their blog provider, Six Apart, but I'm going to rant a bit more. Over the weekend, these guys evidently decided they weren't at fault. Their reasoning? Since they didn't see any traffic coming in from outside of Israel, their corporate site was not under a DDoS. This is nonsensical. The odds that every site they had was targeted except their main corporate site are nil. Nada. Not a chance. So it seems their ISP was savvy enough to block the traffic, but once they redirected DNS, Six Apart had to deal with the DDoS. Suffice it to say, these guys got the dummy of the week award last week, and they are shooting for two weeks in a row. Just accept responsibility and move on.
http://www.informationweek.com/story/showArticle.jhtml?articleID=187200875
Does open source heritage matter?
So what? - In this InformationWeek article from Larry Greenemeier, he revisits the massive deployment of Snort. It's built into a bunch of products and has had 3 million downloads. Sourcefire, the company founded around Snort, is a leader in the IDS/IPS space. This raises the question of how much of an "advantage" an open source heritage is in the security business. Way back when, TIS used the Firewall Toolkit effectively, but never really achieved leadership. Today, you see Tenable driving solutions around the open source Nessus vulnerability scanner that they control. But it's hard to call them a true leader because vuln scanning is a mature market. The conclusion I draw is that open source does help build a brand much faster than otherwise possible, but it is not a sure path to market leadership. Food for thought anyway.
http://www.informationweek.com/story/showArticle.jhtml?articleID=187200570
Controlling the Endpoint - Another NAC overview
So what? - For those that want the CliffsNotes version of what NAC is and some of the considerations, check out this article at SC Magazine's site. It's an easy read and does a 30,000-foot assessment of what NAC is about. It also reflects one of the points I made last week, namely that most people associate NAC only with endpoint hygiene. The editors also excerpt some of my comments on the ForeScout NAC webcast about how to deploy NAC.
http://www.scmagazine.com/us/news/article/553378/controlling+endpoint
The impact of email archiving
So what? - I guess this is just an adjacent conversation to security, but InformationWeek has a detailed and pretty interesting article on email archiving and its increasing use in the discovery process of legal proceedings. Obviously there are compliance issues around saving email (basically you had better be able to produce the goods if Eliot Spitzer comes knocking), but what about standard legal disputes? How much do you archive, and how long do you keep it? Those are questions that every business must ask itself, but the answer is greater than zero. So you'll need to be doing some type of email archiving, and sooner rather than later.
http://www.informationweek.com/story/showArticle.jhtml?articleID=187200562
Top Blog Postings
Vista UAP will require user behavior modification
George Ou has a great post about the complexities that Microsoft will face as Vista becomes prevalent, basically because they are doing the right thing from a security standpoint (separating regular user and administrator privileges). But this does change the user experience, and that will cause a lot of hand wringing and teeth gnashing when typical end users need to authenticate as the admin or can't perform certain functions. This too shall pass, and I believe that over time people will appreciate the added security that Vista brings to the table. I don't bitch at all when I have to type in my admin password on my Mac when installing or changing my applications. I expect to have to do that. It's all about managing expectations, and thus far Microsoft has done a poor job. The hope is that by the time Vista is ready for deployment, they have effective educational materials to train users on how their experience will change.
http://blogs.zdnet.com/Ou/?p=209
What does open mean?
On the new Dark Reading site, Mike Fratto wonders what open really means. Is it just marketing? Or does it really indicate that things do work together? My opinion is that open is a check mark on an RFP response. Meaning that vendors must say they are open and support open standards, but ultimately that is not their focus. Interoperability is important to them only if a customer drums them over the head with it. If you are a customer, one of your key selection criteria must be how well a new piece of equipment fits into your infrastructure, which is all about interoperability. Those that think a vendor considers "openness" anything more than something they have to do to close a deal are a bit delusional.
http://www.darkreading.com/document.asp?doc_id=93786
Who does a vendor serve - customers or investors?
In this post on Alex Niehaus' Scrapture blog, he points to a rather inflammatory letter sent to WatchGuard from a grumpy investor. If I were a WatchGuard investor, I'd be grumpy too, but Alex's point is that some companies must cater to Wall Street, perhaps to the exclusion of their customers. I think that's his point anyway, especially since his company (Astaro) is privately held. Fact is, every vendor needs to cater to both customers and investors. They don't get to play if they don't take care of their customers. And it's a lot harder to play if you either alienate or don't have investors. Bootstrapped security companies do exist, but it is a hard path, and over time it becomes hard to keep pace as things scale. And ultimately the point is to have some kind of liquidity event, which then puts the investors back in play.
http://www.scraptureblog.com/2006/05/lets_play_hardball_was_that_ap_1.html
FFIEC is coming down: Are you ready?
Forrester uses their blog to push their paid research reports. For a scant $249, you can get their perspective on FFIEC and what the banks are doing to strengthen online authentication. I guess folks do buy these reports. Hmm. Maybe I should start charging for some of my longer posts. Would you pay $249 for my NAC series? I'm kidding. Back on point, FFIEC is something that every financial institution in the US must deal with, so there will be plenty of panic buying in Q3 and Q4 of this year as folks look to get "compliant." I think that's Forrester's point, but I won't pay the $249 to find out.
http://www.forrester.com/Research/Document/Excerpt/0,7211,39410,00.html
Malware statistics are crap
Amen to Ed Moyle, who makes the point in this post that malware statistics are crap. Actually, bull is the descriptor he used. Fact is, vendors evaluate the data THEY see, not all of the data. And they share nuggets in press releases with the content-hungry media. This is not doing a service to anyone. Who cares if we saw a 50% decrease in virus-infected emails last month compared to the month before? Does that mean you can ease off on your defenses? Of course not, so all this stuff is noise and you shouldn't pay much attention to it. But as long as the media gets paid based on page views and circulation, they'll always be clamoring for this kind of bunk.
http://www.securitycurve.com/blog/archives/000383.html
Recently on the Security Incite Rants Blog
NAC Attack Part 2: Collaborations of convenience
In the second part of the NAC series, I look at all of the partnering and collaborating around NAC strategies. The BigCos have realized that NAC is bigger than just them (even though most initially require homogeneous networking infrastructure), so they are partnering like crazy to make sure they each have broad support for what they are doing. Unfortunately the sheer number of partnerships makes it almost impossible to figure out what is real, so then nothing is real.
http://securityincite.com/blog/mike-rothman/nac-attack-part-2-collaborations-of-convenience
Read Friday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-5-2006